Skip to main content
CVE Vulnerability Database

CVE-2025-8405: GitLab CE/EE XSS Vulnerability

CVE-2025-8405 is a cross-site scripting flaw in GitLab CE/EE that enables authenticated attackers to inject malicious HTML and perform unauthorized actions. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-8405 Overview

GitLab patched a high-severity HTML injection vulnerability affecting GitLab Community Edition (CE) and Enterprise Edition (EE). The flaw resides in vulnerability code flow displays and allows an authenticated attacker to inject malicious HTML. Successful exploitation enables unauthorized actions performed on behalf of other users when they view the affected interface. The issue is tracked under [CWE-116] (Improper Encoding or Escaping of Output) and affects all GitLab versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2.

Critical Impact

An authenticated user can inject HTML into vulnerability code flow displays to perform unauthorized actions against other users, compromising confidentiality and integrity within the GitLab instance.

Affected Products

  • GitLab CE/EE versions 17.1 through 18.4.5
  • GitLab CE/EE versions 18.5 through 18.5.3
  • GitLab CE/EE versions 18.6 through 18.6.1

Discovery Timeline

  • 2025-12-10 - GitLab releases patch versions 18.6.2, 18.5.4, and 18.4.6
  • 2025-12-11 - CVE-2025-8405 published to NVD
  • 2025-12-23 - Last updated in NVD database

Technical Details for CVE-2025-8405

Vulnerability Analysis

The vulnerability stems from improper output encoding in the vulnerability code flow display feature of GitLab. When GitLab renders code flow information associated with detected vulnerabilities, user-controllable input is not properly escaped before being inserted into the HTML response. An authenticated attacker can supply crafted content that the application renders as active HTML markup rather than literal text.

When a victim user views the affected code flow display, the injected markup executes within the victim's browser session and the GitLab origin. This produces a scope change because actions originate from the victim's authenticated context. The attacker can submit forms, trigger API calls, or interact with project resources on behalf of the victim. Exploitation requires user interaction, which means the target must load a page containing the injected payload.

GitLab classifies this issue under [CWE-116], the standard category for output that fails to neutralize special characters before being delivered to a downstream component. The vulnerability does not affect availability, but both confidentiality and integrity within the target user's GitLab session are at risk.

Root Cause

The root cause is missing or insufficient HTML sanitization in the rendering pipeline for vulnerability code flow data. Input fields tied to code flow metadata accept characters that should be HTML-encoded before display. Without proper encoding, attacker-supplied markup is interpreted as part of the page DOM.

Attack Vector

The attack vector is network-based. An attacker with a low-privileged GitLab account injects a crafted payload into a field rendered by the vulnerability code flow display. The attacker then directs or waits for a higher-privileged user to view the affected vulnerability record. When the victim loads the page, the injected HTML executes and performs unauthorized actions against the GitLab API using the victim's session.

No verified public proof-of-concept code is available. Technical details are referenced in the GitLab Issue Discussion and HackerOne Report #3270940.

Detection Methods for CVE-2025-8405

Indicators of Compromise

  • Unexpected GitLab API requests originating from user sessions immediately after loading vulnerability detail pages.
  • Vulnerability records containing HTML tags, <script> fragments, or event handler attributes such as onerror= and onload= in code flow fields.
  • Unauthorized changes to project settings, membership, or tokens performed by users who only viewed vulnerability data.

Detection Strategies

  • Audit GitLab vulnerability records and security finding metadata for raw HTML or JavaScript content in code flow fields.
  • Review web server and Rails application logs for anomalous request bursts coinciding with vulnerability page views.
  • Inspect GitLab audit events for state-changing API calls following navigation to /vulnerabilities/ URLs.

Monitoring Recommendations

  • Forward GitLab audit logs and webhook events to a centralized SIEM and alert on token creation, permission changes, or membership updates immediately after vulnerability page loads.
  • Monitor the GitLab version_check endpoint to ensure all instances run patched versions 18.4.6, 18.5.4, or 18.6.2 or later.
  • Track user-reported anomalies such as unexpected actions, MFA prompts, or session changes that follow viewing of imported security scan results.

How to Mitigate CVE-2025-8405

Immediate Actions Required

  • Upgrade all GitLab CE/EE instances to version 18.6.2, 18.5.4, or 18.4.6 as documented in the GitLab Patch Release Announcement.
  • Restrict project and group membership to trusted users while patching is in progress, since exploitation requires an authenticated account.
  • Review recent vulnerability records imported from security scanners for suspicious HTML content and remove offending entries.

Patch Information

GitLab released fixed versions on December 10, 2025. Administrators must upgrade to GitLab 18.6.2, 18.5.4, or 18.4.6, depending on their current release branch. Self-managed instances should follow the official upgrade path documented in the GitLab Patch Release Announcement. GitLab.com SaaS users are already running the patched code.

Workarounds

  • No official workaround replaces patching. Limit access to vulnerability reports and security dashboards to trusted maintainers until upgrade completion.
  • Enforce a strict Content Security Policy on the GitLab host to reduce the impact of injected inline scripts.
  • Require strong authentication and short session lifetimes for users with elevated GitLab privileges to limit the window in which an injected payload can act.
bash
# Verify installed GitLab version on self-managed instances
sudo gitlab-rake gitlab:env:info | grep "GitLab information" -A 5

# Upgrade example for Omnibus on Debian/Ubuntu
sudo apt update && sudo apt install gitlab-ee=18.6.2-ee.0

# Confirm patched version
sudo gitlab-ctl status && sudo gitlab-rake gitlab:check

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.